For Immediate Release: July 11, 2019

Office of The Attorney General
- Gurbir S. Grewal, Attorney General
Division of Law
- Michelle Miller, Director
Division of Consumer Affairs
- Paul R. Rodríguez, Acting Director

For Further Information:
Media Inquiries - Lee Moore, 609-292-4791
Citizen Inquiries - 609-984-5828

AG Grewal Announces Settlement with Premera Blue Cross over Data Breach that Exposed Information of over 10 Million Customers
Company Failed to Fix Known Security Problems that Exposed Personal Data to Hacker; Settlement Requires Premera to Strengthen Data Security, Report to States Annually

TRENTON – Attorney General Gurbir S. Grewal announced today that New Jersey and 29 other states have reached a settlement with health insurer Premera Blue Cross Blue Shield to resolve allegations that Premera’s inadequate security measures left its network vulnerable to hacking and exposed consumers’ Social Security numbers and sensitive health information to a hacker for ten months in 2014 to 2015.

Under terms of the settlement, Premera must pay the states a total of $10 million. The company also must implement specific data security controls intended to protect personal health information, annually review its security practices and provide data security reports to the participating state attorneys general.

The investigation found that Premera’s inadequate data security exposed to a hacker the protected health information and personal information of more than 10.4 million insureds nationwide. The data breach affected approximately 40,000 New Jersey residents.

“We expect all companies – and particularly those that possess sensitive health information – to protect their customers’ data and to respond appropriately in the event of a breach,” said Attorney General Grewal. “As today’s settlement shows, companies that fall short will be held accountable, face penalties, and be required to improve their systems to prevent future harm to even more customers.”

A complaint filed today along with the settlement agreement asserts that Premera failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) and violated state consumer protection laws by not addressing known cybersecurity vulnerabilities. New Jersey’s share of the settlement is $72,168.

Separate class action litigation involving the breach resulted in a proposed settlement in June 2019 that would result in a $32 million recovery for affected consumers, and would require Premera to make $42 million in cybersecurity upgrades.

From May 5, 2014 through March 6, 2015, a hacker had unauthorized access to the Premera network containing private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers and email addresses.

In doing so, the hacker took advantage of multiple known weaknesses in Premera’s data security.

Under HIPAA, Premera is required to implement administrative, physical and technical safeguards that reasonably and appropriately protect sensitive consumer information. Premera repeatedly failed to meet these standards, leaving millions of consumers’ sensitive data vulnerable to hacking.

For years prior to the breach, cybersecurity experts and the company’s own auditors repeatedly warned Premera of its inadequate security program, yet the company accepted many of the risks without correcting its practices, the multi-state investigation determined.

The complaint asserts that Premera misled consumers nationwide about its privacy practices in the aftermath of the data breach. After the breach became public, Premera’s call center agents told consumers there was “no reason to believe that any of your information was accessed or misused.” They also told consumers that “there were already significant security measures in place to protect your information,” even though multiple security experts and auditors warned the company of its security vulnerabilities prior to the breach.

Today’s settlement also requires Premera to:

  • Ensure its data security program protects personal health information as required by law.
  • Regularly assess and update its security measures.
  • Provide annual data security reports completed by a third-party security expert approved by the multistate coalition.
  • Hire a chief information security officer, a separate position from the chief information officer. The information security officer must be experienced in data security and HIPAA compliance, and will be responsible for implementing, maintaining and monitoring the company’s security program.
  • Hold regular meetings between the chief information security officer and Premera’s executive management. The information security officer must meet with Premera’s CEO every two months and inform the CEO of any unauthorized intrusion into the Premera network within 48 hours of discovery.

In addition to New Jersey and lead state Washington, today’s multistate settlement with Premera includes: Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah and Vermont.

Deputy Attorney General Elliott M. Siebers, Section Chief in the Division of Law’s Data Privacy and Cybersecurity Section, and former Deputy Attorney General Michelle T. Weiner, handled the Premera matter on behalf of the State.

This page is maintained by OAG Communications. Comments/Questions: email or call 609-292-4925